Data Protection
Encryption in Transit
All data transmitted between your browser and CREAO servers is encrypted using TLS 1.2+. API calls to third-party LLM providers are also encrypted in transit.
Encryption at Rest
All stored data — including conversations, files, memories, and secrets — is encrypted at rest using AES-256 encryption.
Sandbox Isolation
Every chat thread and agent run executes in its own isolated Linux sandbox. Sandboxes are ephemeral, network-isolated from other tenants, and destroyed after use. This design is intended to prevent cross-tenant data leakage.
Secret Management
API keys and credentials stored as Secrets are encrypted at rest and managed via a dedicated secrets store. They are injected into sandboxes as environment variables at runtime and never logged or persisted in plain text.
Privacy
CREAO respects your privacy and gives you control over your data.
What data does CREAO collect?
CREAO collects the minimum data necessary to provide the service:
- Account data — email address, name, and authentication credentials
- Conversation data — messages, files, and artifacts you create during chat sessions
- Usage data — credit consumption, feature usage, and session metadata for billing and product improvement
- Memory data — facts and preferences the super agent saves on your behalf (you can view, search, and delete these at any time)
GDPR compliance
CREAO is designed with GDPR principles in mind:
- Lawful basis — we process data based on contractual necessity (to provide the service) and legitimate interest (to improve the product)
- Data minimization — we collect only what is needed to deliver the service
- Right to access — you can export your data at any time
- Right to deletion — you can delete your account and all associated data
- Right to portability — conversation and file data can be exported in standard formats
- Data processing — see the Subprocessors section below for a list of third parties that process data on our behalf
- International transfers — user data is stored in the United States. For EU users, data transfers are governed by Standard Contractual Clauses (SCCs) in accordance with GDPR Chapter V
- Data Processing Agreement — enterprise customers can request a DPA by contacting privacy@creao.ai
CCPA compliance
For California residents, CREAO provides:
- Right to know — what personal information we collect and how it is used
- Right to delete — request deletion of your personal information
- Right to opt-out — we do not sell personal information
- Non-discrimination — exercising your rights does not affect pricing or service quality
Cookie policy
AI & Model Usage
Your data is not used to train AI models. Conversations and files sent to AI providers (Anthropic, OpenAI, Google, MiniMax, xAI) are processed under API agreements that prohibit use of your data for model training. This includes image inputs sent for generation tasks (for example, image-to-video with Veo). Providers may retain data briefly for abuse monitoring and safety as required by their terms, but never for training purposes.
How is data sent to AI models?
When you chat with the super agent, your messages and relevant context (files, memory, skill instructions) are sent to the selected LLM provider via their API. All API calls use encrypted connections. Responses are streamed back to your browser in real time.
Which AI providers does CREAO use?
CREAO supports multiple LLM providers:
- Anthropic (Claude Opus, Sonnet, Haiku)
- OpenAI (GPT-4o, GPT-4o mini)
- Google (Gemini Pro, Gemini Flash, Veo for video generation)
- MiniMax (MiniMax M2.7)
- xAI (Grok)
What about code execution?
Code generated by the AI runs in an isolated sandbox. The sandbox has no access to other users’ data, no persistent network access to internal systems, and is destroyed after the session ends. Generated files are stored encrypted and associated only with your account.
Security
Infrastructure
CREAO is hosted on AWS with network-isolated infrastructure, web application firewall protection, and DDoS mitigation.
Access Controls
Internal access follows the principle of least privilege. Production systems require MFA and are audited. No engineer has standing access to production databases — access is provisioned on-demand with time-bound sessions.
Audit Logging
All administrative actions are logged in an immutable audit trail. Logs include the actor, action, target resource, and timestamp. Audit logs are retained for 90 days.
Vulnerability Management
We run automated security scans daily covering dependency vulnerabilities, secret detection, and infrastructure configuration. Critical vulnerabilities are triaged and patched within 24 hours.
Responsible Disclosure
If you discover a security vulnerability, please report it to security@creao.ai. We acknowledge reports within 48 hours and aim to resolve critical issues within 7 days. Please do not publicly disclose vulnerabilities until we have had an opportunity to address them.
Connectors & Skills Security
Connectors and skills are governed by different security models:
- Connectors provide scoped access to third-party systems (OAuth/API-key based).
- Skills are instruction packages that shape agent behavior; they do not, by themselves, grant external access.
Connector trust model
- Connector actions require an active authenticated connection owned by your user identity.
- Tool execution is constrained by provider-specific allowlists and input validation.
- OAuth/account metadata is stored server-side; connector disconnect/delete removes or deactivates connection state.
- Sensitive token values are not returned in standard connector-list responses.
Skill trust model
- Official built-in skills are curated and shipped by CREAO.
- Custom skills are user-installed artifacts and should be treated as user-controlled instructions.
- Skills can influence what the agent attempts, but external access still depends on connected tools, provider permissions, and runtime safeguards.
Subprocessors
The following third-party services process data on behalf of CREAO:
| Subprocessor | Purpose | Data Processed |
|---|---|---|
| AWS (Amazon Web Services) | Cloud infrastructure, data storage, compute | All service data |
| Anthropic | LLM provider (Claude models) | Conversation messages, context |
| OpenAI | LLM provider (GPT models) | Conversation messages, context |
| Google Cloud | AI provider (Gemini models, Veo video generation) | Conversation messages, context, user image inputs for image-to-video generation |
| MiniMax | LLM provider (MiniMax models) | Conversation messages, context |
| xAI | LLM provider (Grok models) | Conversation messages, context |
| E2B | Sandbox execution | Code, files during execution |
| Stripe | Payment processing | Billing and payment data |
| Cloudflare | CDN, DDoS protection, bot detection | Request metadata |
| Sentry | Error monitoring | Error diagnostics (no conversation content) |
| Pipedream | Connector OAuth and integration relay | OAuth tokens for connected services |
Data Retention
| Data Type | Retention Period | Notes |
|---|---|---|
| Conversations & messages | Until deleted by user | Users can delete individual threads or all data |
| Generated files | Until deleted by user | Stored encrypted in cloud storage |
| Sandbox environments | Session duration + 30 min idle | Destroyed after inactivity timeout |
| Memory entries | Until deleted by user | Viewable and deletable from the Memory page |
| Audit logs | 90 days | Immutable, used for security monitoring |
| Account data | Until account deletion | Deleted within 30 days of account closure (per GDPR Article 17 and CCPA requirements) |
| Payment data | As required by law | Managed by Stripe; CREAO does not store card numbers |
Contact
| Inquiry type | Contact |
|---|---|
| Privacy and compliance inquiries | privacy@creao.ai |
| Data Processing Agreement (DPA) requests | privacy@creao.ai |
| Security vulnerability reports | security@creao.ai |